A Django app for handling reports from web browsers of violations of your website's HTTP Content Security Policy.

Project description

Django Content Security Policy Reports

A Django app for handling reports from web browsers of violations of your website's content security policy.

This app does not handle the setting of the Content-Security-Policy HTTP headers, but deals with handling the reports that web browsers may submit to your site (via the report-uri) when the stated content security policy is violated.

It is recommended that you use an app such as django-csp (Github) to set the Content-Security-Policy headers.

So What Does This Thing Do?

It receives the reports from the browser and does any/all of the following with them:

  • Logs them using the python logging module.
  • Sends them to you via email.
  • Saves them to the database via a Django model.
  • Runs any of your own custom functions on them.
  • Can generate a summary of the reports.

Supported Django Versions

Supports Python 3.5 to 3.10 and Django 2.2 to 4.x (latest).

Python 2.7 support is available in version 1.4 and/or the python2.7-support branch.

How Do I Use This Thing?

  1. Install this app into your Django project, e.g. pip install django-csp-reports.
  2. Add 'cspreports' to your INSTALLED_APPS.
  3. Include cspreports.urls in your URL config somewhere, e.g. urlpatterns = [path('csp/', include('cspreports.urls'))].
  4. In your Content-Security-Policy HTTP headers, set reverse('report_csp') as the report-uri. (Note, with django-csp, you will want to set CSP_REPORT_URI = reverse_lazy('report_csp') in settings.py).
  5. Set any or all of the following in settings.py as you see fit; hopefully they are self-explanatory:
    • CSP_REPORTS_EMAIL_ADMINS (bool, defaults to True). Determines whether the reports are emailed to the site admins.

    • CSP_REPORTS_LOG (bool, whether or not to log the reporting using the python logging module, defaults to True).

    • CSP_REPORTS_LOG_LEVEL (str, one of the Python logging module's available log functions, defaults to 'warning').

    • CSP_REPORTS_SAVE (bool, defaults to True). Determines whether the reports are saved to the database.

    • CSP_REPORTS_ADDITIONAL_HANDLERS (iterable, defaults to []).

      • Each value should be a dot-separated string path to a function which you want to be called when a report is received.
      • Each function is passed the HttpRequest of the CSP report.
    • CSP_REPORTS_FILTER_FUNCTION (str of dotted path to a callable, defaults to None).

      • If set, the specified function is passed each HttpRequest object of the CSP report before it's processed. Only requests for which the function returns True are processed.
      • You may want to set this to "cspreports.filters.filter_browser_extensions" as a starting point.
    • CSP_REPORTS_LOGGER_NAME (str, defaults to "CSP Reports"). Specifies the logger name that will be used for logging CSP reports, if enabled.

    • CSP_REPORTS_MODEL (<app_label>.<model_name> defaults to "cspreports.CSPReport"). Specifies the model to be used for storing the CSP reports. You can easily extend the model by implementing the abstract base class cspreports.models.CSPReportBase and adding your additional fields to it:

      # your_app/models.py
      from cspreports.models import CSPReportBase

      class CustomCSPReport(CSPReportBase):
          # Concrete subclass of the abstract base; add your extra fields here
          pass

      # settings.py

      CSP_REPORTS_MODEL = "your_app.CustomCSPReport"
      
  6. Set a cron job to run the make_csp_summary command (see Commands below) to generate summaries.
  7. Enjoy.
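
An added example (not code from django-csp-reports itself) of a filter function and an additional handler in the shape the CSP_REPORTS_FILTER_FUNCTION and CSP_REPORTS_ADDITIONAL_HANDLERS settings expect: both receive the HttpRequest carrying the report and only read its body. The FakeRequest stand-in, the sample report and the your_app.csp module path are constructed for the example.

```python
import json
import logging

# Logger name matches the CSP_REPORTS_LOGGER_NAME default shown above.
logger = logging.getLogger("CSP Reports")

# URI schemes of browser extensions; violations they cause are noise the site's own policy cannot fix.
EXTENSION_SCHEMES = ("chrome-extension:", "moz-extension:", "safari-extension:")

def parse_csp_report(request):
    """Return the inner 'csp-report' dict, or None if the body is not one."""
    try:
        payload = json.loads(request.body)
    except (ValueError, TypeError):
        return None
    report = payload.get("csp-report") if isinstance(payload, dict) else None
    return report if isinstance(report, dict) else None

def filter_first_party_violations(request):
    """CSP_REPORTS_FILTER_FUNCTION candidate: drop reports caused by a browser
    extension. Invalid reports pass so they still show up in make_csp_summary."""
    report = parse_csp_report(request)
    if report is None:
        return True
    for key in ("blocked-uri", "source-file"):
        if str(report.get(key, "")).startswith(EXTENSION_SCHEMES):
            return False
    return True

def log_violation_summary(request):
    """CSP_REPORTS_ADDITIONAL_HANDLERS candidate: one compact log line per
    report; the line is returned so it can be checked."""
    report = parse_csp_report(request) or {}
    directive = (report.get("effective-directive")
                 or report.get("violated-directive") or "?")
    line = "%s blocked %s on %s" % (
        directive, report.get("blocked-uri", "?"), report.get("document-uri", "?"))
    logger.warning(line)
    return line

class FakeRequest:
    """Stand-in for HttpRequest (constructed for this example); only .body is read."""
    def __init__(self, body):
        self.body = body

# Constructed sample: a violation attributed to a Chrome extension script.
EXTENSION_REPORT = FakeRequest(json.dumps({"csp-report": {
    "document-uri": "https://example.com/", "effective-directive": "script-src",
    "blocked-uri": "chrome-extension://abcdef/inject.js"}}).encode())
```

Wire them in with CSP_REPORTS_FILTER_FUNCTION = "your_app.csp.filter_first_party_violations" and CSP_REPORTS_ADDITIONAL_HANDLERS = ["your_app.csp.log_violation_summary"] (module path assumed).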

Commands

clean_cspreports

Deletes old reports from the database.

Options:

  • --limit - timestamp; reports created since this time are kept, older ones are deleted. Defaults to 1 week. Accepts any string that can be parsed as a datetime.

make_csp_summary

Generates a summary of CSP reports.

By default it includes reports from yesterday (00:00:00 to midnight). The summary shows the top 10 violation sources (i.e. pages from which violations were reported), the top 10 blocked URIs (banned resources which the pages tried to load), and the top 10 invalid reports (requests for which the browser submitted an invalid CSP report).

Options:

  • --since - timestamp of the oldest reports to include. Accepts any string that can be parsed as a datetime.
  • --to - timestamp of the newest reports to include. Accepts any string that can be parsed as a datetime.
  • --top - limit of how many examples to show. Default is 10.


Source Distribution

django-csp-reports-1.9.0.tar.gz (14.3 kB)

Uploaded Source

Built Distribution

django_csp_reports-1.9.0-py3-none-any.whl (25.6 kB)

Uploaded Python 3

File details

Details for the file django-csp-reports-1.9.0.tar.gz.

File metadata

  • Download URL: django-csp-reports-1.9.0.tar.gz
  • Upload date:
  • Size: 14.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.11.6

File hashes

Hashes for django-csp-reports-1.9.0.tar.gz

File details

Details for the file django_csp_reports-1.9.0-py3-none-any.whl.

File hashes

Hashes for django_csp_reports-1.9.0-py3-none-any.whl